[krbdev.mit.edu #7079] the ftp client can pass an unterminated string to fopen()
The RT System itself via RT
rt-comment at krbdev.mit.edu
Mon Jan 23 18:00:47 EST 2012
Date: Mon, 23 Jan 2012 17:20:21 -0500
Message-Id: <201201232220.q0NMKLFi013980 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: ftp: unterminated file mode passed to fopen()
From: nalin at redhat.com
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: the ftp client can pass an unterminated string to fopen()
>Severity: non-critical
>Priority: low
>Category: krb5-appl
>Class: sw-bug
>Release: 1.0.2
>Environment:
System: Linux blade.bos.redhat.com 3.2.1-5.fc17.x86_64 #1 SMP Tue Jan 17 18:57:18 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Siddhesh Poyarekar notes that the file mode that is passed to
fopen() via recvrequest() when "ftp" is executing an "mls" or "mdir"
command isn't properly terminated.
>How-To-Repeat:
We've gotten sporadic reports about this causing the client to fail in
cases where the next byte on the stack happens to be 'x', but nothing
reliably reproducible at this point.
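To make the failure mode concrete, here is an added C illustration (not part of the report or of Siddhesh's patch) that models the original one-byte rmode[1] and the patched rmode[2] side by side. The struct layouts, the constructed neighbouring byte 'x' and the helper names are assumptions made for the demo; on the real stack the byte after the array is whatever happened to be there.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed models of the two declarations. The byte after each buffer
 * is set explicitly so the demo is deterministic; the report says the
 * sporadic failures happened when that byte was 'x'. */
struct buggy { char rmode[1]; char next; };   /* original declaration */
struct fixed { char rmode[2]; char next; };   /* declaration after the patch */

/* Length fopen() would see for the mode string, or -1 when no terminator
 * lies inside the buffer (fopen would then read past its end). */
static int mode_len_within(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    return nul ? (int)(nul - buf) : -1;
}

static int buggy_mode_len(int i)
{
    struct buggy b;
    b.next = 'x';                     /* constructed neighbouring byte */
    *b.rmode = (i == 1) ? 'w' : 'a';  /* original assignment, no terminator */
    return mode_len_within(b.rmode, sizeof b.rmode);   /* -1 */
}

static int fixed_mode_len(int i)
{
    struct fixed f;
    f.next = 'x';
    f.rmode[0] = (i == 1) ? 'w' : 'a';
    f.rmode[1] = 0;                   /* patched: explicit terminator */
    return mode_len_within(f.rmode, sizeof f.rmode);   /* 1 */
}

/* Why a stray 'x' breaks the client: "wx" asks fopen() for exclusive
 * create, which fails with EEXIST if the destination file already exists.
 * Returns errno of the failed open, or 0 if the open succeeded. */
static int try_mode_on_existing(const char *path, const char *mode)
{
    FILE *f = fopen(path, "w");       /* ensure the file exists first */
    if (!f) return errno;
    fclose(f);
    f = fopen(path, mode);
    if (!f) { int e = errno; remove(path); return e; }
    fclose(f);
    remove(path);
    return 0;
}

int main(void)
{
    printf("buggy: terminator within buffer? %s\n",
           buggy_mode_len(1) < 0 ? "no" : "yes");
    printf("fixed: mode length %d\n", fixed_mode_len(1));
    printf("\"wx\" on existing file -> errno %d (EEXIST=%d)\n",
           try_mode_on_existing("/tmp/mls_demo.txt", "wx"), EEXIST);
    return 0;
}
```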
>Fix:
There are multiple variations on a fix, but here's Siddhesh's patch:
--- a/gssftp/ftp/cmds.c 2012-01-12 13:06:12.827204828 +0530
+++ b/gssftp/ftp/cmds.c 2012-01-12 13:06:08.978204741 +0530
@@ -1685,7 +1685,7 @@ voip mls(argc, argv)
{
sig_t oldintr;
int ointer, i;
- char *volatile cmd, rmode[1], *dest;
+ char *volatile cmd, rmode[2], *dest;
if (argc < 2 && !another(&argc, &argv, "remote-files"))
goto usage;
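Review bot: enlarging the array to rmode[2] makes room for the terminator but nothing in this hunk writes one, so the declaration alone still leaves rmode unterminated until the loop body assigns rmode[1] later in the patch; an initializer at the declaration, `char *volatile cmd, rmode[2] = "", *dest;`, would make the buffer safe independently of the loop. Separately, the hunk header reads `voip mls(argc, argv)`, which looks like a mangled copy of the function line rather than real source text, so it is worth confirming the patch still applies cleanly.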
@@ -1709,7 +1709,8 @@ usage:
oldintr = signal(SIGINT, mabort);
(void) setjmp(jabort);
for (i = 1; mflag && i < argc-1; ++i) {
- *rmode = (i == 1) ? 'w' : 'a';
+ rmode[0] = (i == 1) ? 'w' : 'a';
+ rmode[1] = 0;
recvrequest(cmd, dest, argv[i], rmode, 0, 0);
if (!mflag && fromatty) {
ointer = interactive;
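Review bot: the `rmode[1] = 0;` write is repeated on every loop iteration even though the terminator never changes; setting it once before the `for` (or at the declaration) keeps the loop to the single byte that varies. Since the only two values ever passed are "w" and "a", an alternative that removes the buffer entirely is to make rmode a `const char *` pointing at the string literal, which cannot be left unterminated. As written the change is correct: after this hunk recvrequest() receives a proper C string instead of an array with no NUL inside it.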